Release Note for CTE for Kubernetes
Release Note Version | Date |
---|---|
1.1.0.31 | 2022-11-30 |
Container Image Fingerprint
Verify that the Container Image Fingerprint matches the version that you are installing.
New Features and Enhancements
- Data Transformation is now supported
Users can now use the dataxform tool for initial encryption, or key rotation, of encrypted data on persistent volumes. See Offline Data Transformation for more information.
- OpenShift is now supported
CTE for Kubernetes now supports deployment on the Red Hat OpenShift platform (v4.9 to v4.11) for both self-managed and cloud deployments.
- Support for signature sets
You can deploy signature set verification for applications trusted to access data on encrypted persistent volumes. See Signature Collection Tool.
Resolved Issues
- AGT-39951: Signature sets supported in CM policies but not in CTE for Kubernetes
Signature sets are now supported in release 1.1.0 of CTE for Kubernetes.
Known Issues
- AGT-39000: CipherTrust Manager may not report all pods using the same CTE PVC on the same node
Work-around:
CTE PVCs with the access modes ReadWriteOnce, ReadWriteMany or ReadOnlyMany may fail to report to CipherTrust Manager all of the pods using the same volume on the same node. This anomaly is due to how Kubernetes handles a single volume used across multiple pods on the same node. This reporting anomaly in CipherTrust Manager does not mean that the CTE PVC is not attached to the pod. It is recommended that the user describe the CTE PVC (`kubectl describe pvc`) to find the list of all of the pods that are using a particular CTE PVC.
- AGT-39143: EBS volumes are not attaching to the Kubernetes cluster when using dynamic provisioning for a second time
Work-around:
While CTE for Kubernetes is compatible with multi-zone Persistent Volumes, CTE for Kubernetes does not automatically copy topology information from the source PVC. A CTE volume may fail to mount if the CTE staging pod for the source PVC is started on a node not covered by the topology in that PVC. To guarantee that pods and volumes are scheduled on the correct nodes, a user must modify the CTE PVC, or PV, with matching topology information from the source PV.
For more information about Topology-Aware Volume Provisioning, see Compatibility with Topology-Aware Volume Provisioning.